On Wed, Jan 26, 2011 at 3:25 PM, David Voit <da...@codersau.de> wrote:
>
> [...]
>
>>
>> and welcome on board :)
>>
>
> Thanks.
>
>
>>
>>
>>>
>>> [...]
>>>
>>
> It's not about encryption, it's about authentication. If you call an https
> site, all the traffic is still encrypted, even without a client cert.
> You are responsible if you connect willingly to the bad guys. With shinken
> we have a problem if the arbiter is not authenticated, because it could send
> any shell code to all instances after it.
>
Is it the set_allow_unknow_ca you are talking about?
>
> [...]
>
>>
>>>
>>> Pyro is already not very smart, and you wanna make this even more dirty
>>> :p
>>>
>> Yes indeed. There are strange things. The server.pem and client.pem are
>> not very clear. You never know which one it is using, and there is no Pyro
>> way to change the name of client.pem, for example. It's not good, but I didn't
>> find how to avoid this :(
>>
>
> client.pem is never used. Or am I overlooking something?
>
I see it by looking at the open in the Pyro code, but I don't know why it is
really using it :(
>
>
>>
>> [...]
>>
>
> I share the points with you two guys. I only looked at shinken's ssl
> support like a webserver would do, etc. The setup of self-signed certs goes
> quicker, but on the management side we pay the price. Leave it that way.
>
Yes, PKI is huge, but that's what network admins are paid for after all ;)
>
>
>> [...]
>>>
>> Yes, it can be a very interesting feature :)
>> I don't know where the best place for this is (hook in setup.py or in the
>> packager code for installing)? Is there a packager guy to help us on this
>> point? How is this thing managed in the other projects?
>>
>>
> I would say on both sides. setup.py for the developer and Gentoo-type guy
> :-). The package way for everybody else.
> The apache2 package does this on suse (not checked, from memory).
>
I think we should manage it in only one place. Less effort, easier to
manage for us :)
>
>
>> We propose sample certificates that are good for encrypting the channel against
>> dummy attacks, but they're not safe enough (everyone has them!) against a true
>> attack in the real world. So auto-generation would be a good thing if we
>> achieve it.
>>
>>
> If everybody in the world uses the same private key, we need no encryption
> at all. We get exactly nothing.
>
We just bypass a dumb dump of the traffic, but yes, even a not-so-smart guy
will easily look at it with the sample certs :)
>
>
> I think the point with set_allow_unknow_ca is really a security problem.
> I will call the pyro guys.
>
Ok, let us know what they say. And if they have a clue on how to use SSL with
Pyro4, that would be good too ;)
Jean
>
> David
>
> [...]
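The two points argued above, that a daemon which accepts the arbiter under any certificate (the set_allow_unknow_ca allowance) is not authenticating it at all, and that pinning the real arbiter's certificate is what actually keeps a rogue one out, can be shown with Python's ssl module. This is an added example, not code from Shinken or Pyro: the allow_unknown_ca flag, the scheduler/arbiter/rogue-arbiter names and the throwaway self-signed certificates are constructed for the demonstration, and it assumes an openssl binary on PATH.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(workdir, name):
    # Throwaway self-signed cert/key pair via the openssl CLI (constructed test fixture).
    crt, key = (os.path.join(workdir, name + ext) for ext in (".crt", ".key"))
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + name, "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def handshake(daemon, pinned_arbiter, arbiter, pinned_daemon, allow_unknown_ca):
    # The daemon is the TLS server, the (possibly rogue) arbiter is the client.
    # Returns True only if both sides accept the handshake.
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(*daemon)
    if allow_unknown_ca:
        srv.verify_mode = ssl.CERT_NONE             # weak: any peer may push a config
    else:
        srv.verify_mode = ssl.CERT_REQUIRED         # the arbiter must present a cert...
        srv.load_verify_locations(pinned_arbiter)   # ...and it must be the pinned one
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.check_hostname = False                      # pinned cert, no DNS name to match
    cli.load_verify_locations(pinned_daemon)        # the arbiter verifies the daemon too
    cli.load_cert_chain(*arbiter)
    a, b = socket.socketpair()
    errors = []
    def serve():
        try:
            with srv.wrap_socket(a, server_side=True) as s:
                s.recv(1)
        except OSError as e:                        # ssl.SSLError is an OSError
            errors.append(e)
    t = threading.Thread(target=serve); t.start()
    try:
        with cli.wrap_socket(b) as c:
            c.sendall(b"x")
    except OSError as e:
        errors.append(e)
    t.join()
    return not errors

def run_scenarios():
    # A rogue arbiter holding its own self-signed cert only gets in when unknown CAs are allowed.
    with tempfile.TemporaryDirectory() as d:
        daemon = make_self_signed(d, "scheduler")
        arbiter = make_self_signed(d, "arbiter")
        rogue = make_self_signed(d, "rogue-arbiter")
        return {
            "legit, strict": handshake(daemon, arbiter[0], arbiter, daemon[0], False),
            "rogue, strict": handshake(daemon, arbiter[0], rogue, daemon[0], False),
            "rogue, unknown CA allowed": handshake(daemon, arbiter[0], rogue, daemon[0], True),
        }
```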
_______________________________________________
Shinken-devel mailing list
Shinken-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shinken-devel